[*] msrpc on tcp/135

	[-] RPC Client:

		rpcclient -p 135 -U "" flight.htb

[*] netbios-ssn on tcp/139

	[-] Bruteforce SMB

		crackmapexec smb flight.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"

	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:

		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/kali/htb/flight/results/flight.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/kali/htb/flight/results/flight.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" flight.htb

[*] ldap on tcp/389

	[-] ldapsearch command (modify before running):

		ldapsearch -x -D "<username>" -w "<password>" -H ldap://flight.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/kali/htb/flight/results/flight.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"

[*] microsoft-ds on tcp/445

	[-] Bruteforce SMB

		crackmapexec smb flight.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"

	[-] Lookup SIDs

		impacket-lookupsid '[username]:[password]@flight.htb'

	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:

		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/kali/htb/flight/results/flight.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/kali/htb/flight/results/flight.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" flight.htb

[*] ldap on tcp/3268

	[-] ldapsearch command (modify before running):

		ldapsearch -x -D "<username>" -w "<password>" -H ldap://flight.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/kali/htb/flight/results/flight.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"

[*] wsman on tcp/5985

	[-] Bruteforce logins:

		crackmapexec winrm flight.htb -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'

	[-] Check login (requires credentials):

		crackmapexec winrm flight.htb -d '<domain>' -u '<username>' -p '<password>'

	[-] Evil WinRM (gem install evil-winrm):

		evil-winrm -u '<user>' -p '<password>' -i flight.htb

		evil-winrm -u '<user>' -H '<hash>' -i flight.htb

[*] msrpc on tcp/49667

	[-] RPC Client:

		rpcclient -p 49667 -U "" flight.htb

[*] msrpc on tcp/49674

	[-] RPC Client:

		rpcclient -p 49674 -U "" flight.htb

[*] msrpc on tcp/49690

	[-] RPC Client:

		rpcclient -p 49690 -U "" flight.htb

[*] msrpc on tcp/49699

	[-] RPC Client:

		rpcclient -p 49699 -U "" flight.htb